#!/bin/sh
# shellcheck disable=SC2154
#
# Load the ZFS encryption key for the boot filesystem in a systemd-based
# initramfs. `root` is read but never assigned here; presumably
# decode_root_args (from dracut-zfs-lib.sh) sets it -- verify against the lib.
#
# NOTE(review): the early exits below mix `return` (valid only when this file
# is sourced or inside a function) with `exit` (which ends the whole shell,
# including a sourcing one). Confirm how this file is invoked before touching
# either form.

# Without systemctl this is not a systemd image; key loading is then done by
# mount-zfs.sh in the mount hook instead.
if ! [ -e /bin/systemctl ] && ! [ -e /usr/bin/systemctl ]; then
    return 0
fi

# shellcheck source=zfs-lib.sh.in
. /lib/dracut-zfs-lib.sh

if ! decode_root_args; then
    return 0
fi

# Pool import races with the pre-mount hooks, so poll until zfs-import.target
# is active. Stop with status 1 as soon as systemctl reports an import service
# as failed. The loop has no timeout of its own.
until systemctl is-active --quiet zfs-import.target; do
    if systemctl is-failed --quiet zfs-import-cache.service zfs-import-scan.service; then
        return 1
    fi
    sleep 0.1s
done

BOOTFS="$root"
case "$BOOTFS" in
    zfs:AUTO)
        # Take the first bootfs value reported by zpool that is not "-".
        BOOTFS="$(zpool get -Ho value bootfs | grep -m1 -vFx -)"
        ;;
esac

# Proceed only when feature@encryption is 'active' on the pool named by the
# first path component of BOOTFS (an unknown property prints nothing, so older
# tooling simply falls through).
if [ "$(zpool list -H -o feature@encryption "${BOOTFS%%/*}")" = 'active' ]; then
    # An encryptionroot of "-" means the boot dataset is not encrypted.
    ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${BOOTFS}")"
    if [ "${ENCRYPTIONROOT}" != "-" ]; then
        KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
        # Nothing to do unless the key still has to be loaded.
        if [ "$KEYSTATUS" != "unavailable" ]; then
            exit 0
        fi

        KEYLOCATION="$(zfs get -H -o value keylocation "${ENCRYPTIONROOT}")"
        # Dispatch on the part of keylocation before "://".
        case "${KEYLOCATION%%://*}" in
            prompt)
                # Up to three attempts. The passphrase travels over a pipe to
                # zfs load-key's stdin, so it never appears in an argument list.
                # Keep the `&& break` form: after three failures the loop (and
                # therefore this script) ends with the failed status.
                for _ in 1 2 3; do
                    systemd-ask-password --no-tty "Encrypted ZFS password for ${BOOTFS}" |
                        zfs load-key "${ENCRYPTIONROOT}" && break
                done
                ;;
            http*)
                # The pattern accepts both "http" and "https" prefixes.
                # NOTE(review): with a plain http:// keylocation the key
                # material would be fetched without transport protection --
                # confirm whether that should be rejected or warned about.
                # The result of starting network-online.target is not checked;
                # zfs load-key runs either way.
                systemctl start network-online.target
                zfs load-key "${ENCRYPTIONROOT}"
                ;;
            file)
                KEYFILE="${KEYLOCATION#file://}"
                # The key may live on a device that has not shown up yet: let
                # udev settle first, then poll for up to 20 x 0.5s.
                if ! [ -r "${KEYFILE}" ]; then
                    udevadm settle
                fi
                if ! [ -r "${KEYFILE}" ]; then
                    info "Waiting for key ${KEYFILE} for ${ENCRYPTIONROOT}..."
                    for _ in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
                        sleep 0.5s
                        if [ -r "${KEYFILE}" ]; then
                            break
                        fi
                    done
                fi
                if ! [ -r "${KEYFILE}" ]; then
                    warn "Key ${KEYFILE} for ${ENCRYPTIONROOT} hasn't appeared. Trying anyway."
                fi
                # Attempted even when the file is still unreadable; the status
                # of zfs load-key is what this branch ends with.
                zfs load-key "${ENCRYPTIONROOT}"
                ;;
            *)
                # Any other keylocation form is handed to zfs load-key as is.
                zfs load-key "${ENCRYPTIONROOT}"
                ;;
        esac
    fi
fi